We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Check for the unique accounts in Endpoint Account Name Rule Advanced Query

binoy
New Contributor II
New Contributor II

We have an Endpoint for Active Directory accounts. We want to create unique AD accounts for new joiners. For eg. for user 1 with name 'Amit Sharma', Saviynt should create an AD account with DN: 'CN=Amit Sharma,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local' and for another user2 with same name 'Amit Sharma', Saviynt should create another AD account with DN: ' CN=Amit Sharma1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local'. We have configured the "Account Name Rule" with Advanced Config because we want the distinguishedName as the Account name.

concat('CN=',users.displayname,',OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')

But Saviynt always attempts to create a task with Account name: 'CN=Amit Sharma,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local' for the 2nd user instead of 'CN=Amit Sharma1' and the Task status results in 'Error' with error message: 'Account with same name already associated to another user - (299849) in the same endpoint, so task is not processed'.

It does not even go to the ADSI connector configuration in the logs. Security System is configured with ADSI Connector.

We don't want to use Basic Config Auto Increment option as it does not satisfy our DN requirement. We also do not want to use FN_EIC_SEQGEN DB function because it will always append a number for all AD accounts even if they are unique.

Is this possible in Saviynt? The same works in 'System Username Generation Rule' and 'Email Generation Rule'.

The Saviynt logs has a message: "Checking for endpoint : 6 and entitlements-NULL; ExistingAccObj-null" which leads me to suspect it maybe a Saviynt bug.

14 REPLIES 14

rushikeshvartak
All-Star
All-Star

Remove - Check Unique Account :  & Run microservices Job

 

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks @rushikeshvartak. I removed the Check Unique Account and ran the microservice job. It didn't help. I can see in the logs: ExistingAccObj-null. Saviynt didn't detect an existing account object before creating the Task. But later when executing the Task, Task status results in 'Error' with error message: 'Account with same name already associated to another user - (299849) in the same endpoint, so task is not processed'.

binoy
New Contributor II
New Contributor II

Hi

This suggestion didn't work. Is there any other suggestion please or is it a bug that Support needs to look into?

Did you raise new request


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

When you raise new account does account name properly shown ?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @binoy,

Can you try to add  "All" in Check Unique Account and try again.

Thanks.

binoy
New Contributor II
New Contributor II

Hi @sudeshjaiswal 

I've tried with 'All' in Check Unique Account. It didn't help and its still the same error.

Thanks

delete and recreate rule


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Tried that. Switched to 'Basic Config' which deleted the previous rule and switched back to 'Advanced Config'. Did not help.

This is a simplified version of our Advanced Config, we have to specify the whole DN as the Account ID because of two AD domains.

concat('CN=',users.displayname,',OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'2,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')

 

Issue still exists ?

does second account name populate on ars ?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak 

It works from ARS. There is a log statement "Account CN=... exists so ignoring rule..." and it evaluates the 2nd user account name rule.

However, it still fails from Technical Rule. The issue is it does not detect the existing account.

Its looks like defect, Please raise support ticket


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

binoy
New Contributor II
New Contributor II

Thanks @rushikeshvartak 

Isn't this a basic use case that other customers would have implemented already?

ideally it should work but via technical rule its not printing rule itself


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.